In November 2017 Lyyti organized an event where we dove head first into the abyss that is 'how will the GDPR affect the event organizer's work?'. The audience was able to ask questions regarding this issue, and in this help article we have documented those questions and our answers to them.
As an interpretation of the regulation is only valid once it has been validated by a court, we won't accept legal responsibility if you decide to act according to our suggestions or instructions. We have compiled these answers together with a lawyer specialized in data protection, so the answers will not conflict with the law. It is good to remember, though, that all instructions can change on a case-by-case basis. A suggestion that works for a marketing event might not be valid if the context changes to e.g. the pharmaceutical industry or something else as highly regulated. The suggestions we are providing for the questions are literally only that, suggestions, and we always recommend that if anything is unclear, you go through your question or worry with a lawyer specialized in your branch of business. We do hope that these answers can help you in creating events and making them GDPR-compliant!
- In all seriousness, can I control my participant lists in the required way, if they are stored in Excel-files?
- What is a safe way to share participant register data? Is email a safe channel?
- If I organize an international event, can I disclose the participant list to the following organizer of the event?
- Should Lyyti renew all contracts?
- In the future, can I keep sending LinkedIn inmail-messages to our target groups?
- Keeping the GDPR regulations in mind, how can I share the participant list of an event to other participants of the same event?
- How can a register controller make sure that the register processor is acting according to regulations? What is a sufficient level?
- Am I allowed to use email lists that people have volunteered their contact information for?
- Are there restrictions on when I am allowed to photograph an event? How do you distinguish between a public event and a closed event?
- How long can I store participant information for?
- When do we need to contact the European Data Protection Supervisor or notify the relevant authorities about breaches with data protection rules?
- What will be the role of Facebook pages, groups and events?
- How can we ask parents to enrol their children and young adults to camps and such? Do you need some kind of proof of guardianship?
- When a union also maintains the register for the local chapters of the union, do the local chapters need to create separate privacy policies?
- Allergy information can be considered sensitive information, should we instead ask for special dietary wishes on the registration form?
- Am I unlawfully transferring personal data to a hotel if I hand over the name list of participants who are staying over at the hotel?
- For how long can we store a student's information in a register after their graduation, e.g. keeping in mind alumni materials and certificates that might be needed later on?
- Is the participant list of training held for our own personnel considered a register of its own?
- Do I need to shred old participant lists that I've printed on paper?
- We can all log into Lyyti with one username. Should we be worried?
- How can I market new events with contact information gathered at previous events?
- If I accidentally transfer a participant list or client list to the wrong party, will I immediately be fined 20 million euros?
- Is video material a register? We have raw material as well as material published online with added text.
- A pharmaceutical company is sponsoring the event and wants/needs information on who they are sponsoring. Can we transfer the information to them?
- Do I need consent from a parent/guardian if I save the contact information of a 16-year-old employee in our CRM?
- Can we provide Lyyti with our own Data protection agreement?
- Am I permitted to profile a user by machine-learning, if the user can't be identified using this information?
- What happens when the concerned citizens realize they have all these new rights and want all sorts of information on themselves?
- Do the same rules apply to information and storage of a company's employee information vs. customer information?
- If a society is openly supportive of the rights movement for sexual minorities and wants to send out marketing emails targeted to individuals representing a minority, what kind of stand does the GDPR take at collecting such information?
- In what way should a company protect their usage of personal data registers when the personnel is using an open mobile network?
- What is the process for procedure documentation within small companies? Is there criteria on what should be logged on HR procedures, or can the documentation be informal?
- What kind of things should we consider GDPR-wise if a company is registered outside the EU?
- Saving social security numbers in an Excel file to be sent to the tax authority for the purposes of a daily expense allowance and kilometer allowance?
- How do you define a B2B-customer? If the customer is a big corporation, how do you define which employees you can have a customer data list on?
In all seriousness, can I control my participant lists in the required way, if they are stored in Excel-files?
Possibly, if you only have a couple of events per year. Even then you should remember the life cycle of the information, and determine what you do with the files after the information has been used. If a participant wishes to check on their information or remove it, the information should be deleted from all databases, even if the information has been sent as an Excel file to the bus company or the catering firm. Pretty soon you will be faced with the situation that it is impossible to control all the locations of the files with information, unless the information is stored in one easily controlled database.
What is a safe way to share participant register data? Is email a safe channel?
Email is essentially never the most secure option, but you should also keep in mind the sensitivity of the information you're handling. The best option is to share viewing rights to the information, e.g. through online reports. In that case the viewer of the report doesn't need to download the information to their computer, and the register won't become fragmented.
If I organize an international event, can I disclose the participant list to the following organizer of the event?
Should Lyyti renew all contracts?
The terms of delivery that set the framework conditions for our cooperation (prices, features, liabilities etc.) are still in effect and there is no need to update that document. However, since the GDPR stipulates that data security matters must be covered by contract, and our current Terms of delivery don't cover data security issues, our terms will be updated with a Data protection appendix which defines how and for what purpose Lyyti handles your data. We are in the process of sending out this data protection appendix to all our customers.
If a customer has a DPA of their own or needs to make changes in the DPA we've sent out, we will go over them case by case. Note that for us to be able to make changes in our DPA or negotiate about using the customer's own custom DPA, the customer needs to have an Enterprise license of Lyyti.
In the future, can I keep sending LinkedIn inmail-messages to our target groups?
For now, the regulations that the GDPR brings us have not stipulated any rules regarding this sort of communication. However, there is an EU Privacy directive still in the making that will be taking a stand on the matter. You can read more about it here:
Keeping the GDPR regulations in mind, how can I share the participant list of an event to other participants of the same event?
How can a register controller make sure that the register processor is acting according to regulations? What is a sufficient level?
We recommend that you ask the processor for their documentation on their data security plans, the technical execution of data security, data security policies and any audit reports. If the documentation on these issues is lacking or shows that the processor does not have a serious and professional handle on things, you should take that as a warning sign. As there is no commonly agreed standard for these issues, it is not possible to give any standardized instructions on this.
Am I allowed to use email lists that people have volunteered their contact information for?
Are there restrictions on when I am allowed to photograph an event? How do you distinguish between a public event and a closed event?
You are allowed to have photos taken at your event, but you are not always necessarily allowed to use photos from that event. If the person can objectively be identified from a picture (e.g. someone other than the subject of the photograph can identify them), you should have consent for commercial use of the photo. The photos can be used as editorial material by the press, as long as the photos are related to the article subject. At the event registration you can mention that there will be a photographer at the event, explain how the photos will be used and ask for consent for further use of said photos.
How long can I store participant information for?
It depends on the nature of the information. Event-specific information that you don't need after the event has ended should be removed as soon as the information is no longer needed for the successful organization and follow-up of the event. It is however possible that you have a so-called 'legal right' to some of the information. If participation in an event creates an invoice, this information needs to be stored for a minimum of six years according to the bookkeeping act. On the other hand, the same event might have gathered information on e.g. shoe sizes and food allergies, and there is no need to store this kind of information for any long periods of time. You should always, when possible, follow the principle of data minimization.
When do we need to contact the European Data Protection Supervisor or notify the relevant authorities about breaches with data protection rules?
There is no clear stand on this issue, but the minimum requirement is that when you can assume that leaked information might cause the person in question harm, you should notify the relevant supervisory authority without undue delay. Our policy is better safe than sorry: it's a better idea to contact the relevant authorities than to not contact them. This policy will probably take shape as we go along with the GDPR and the EDPS's office has time to evaluate cases.
What will be the role of Facebook pages, groups and events?
How can we ask parents to enrol their children and young adults to camps and such? Do you need some kind of proof of guardianship?
The GDPR recognizes that minors deserve specific protection of their personal data, and it has certain regulations concerning consent provided by minors and places limits on their ability to consent to data processing without parental authorization. In short, in an online context, the age for consent is by default 16 years of age. However, member states are given the option to set the age of consent to as low as 13 years. When the minor is younger than the specified age, verifiable parental or guardian consent will be required where consent for a child/minor is needed.
This is first and foremost a way of protecting children and young adults from signing off on their information without understanding the extent of where their information is being stored or how it's being used. When a child is enrolled in e.g. a camp, a sufficient level is that the child can't enrol themselves, but it is done by a parent/guardian. In the registration you can have a checkbox with a text of consent stating that the person registering has the right to enrol a minor in that event.
When a union also maintains the register for the local chapters of the union, do the local chapters need to create separate privacy policies?
Allergy information can be considered sensitive information, should we instead ask for special dietary wishes on the registration form?
This is in fact the exact same thing you are asking for, only the wording is different. For a successful and safe event, it is crucial to have a list of e.g. serious allergies. We can't stress enough that the organizer should have a serious frame of mind when it comes to anyone's physical safety. Ask promptly and clearly for any required information, and remove it from the register when the event has been completed safely.
Am I unlawfully transferring personal data to a hotel if I hand over the name list of participants who are staying over at the hotel?
For how long can we store a student's information in a register after their graduation, e.g. keeping in mind alumni materials and certificates that might be needed later on?
It is not possible to give a definitive answer to this question, as some learning institutions are obligated by law to save information for the specific purpose of verifying qualifications. This is something we recommend checking with a lawyer.
Obviously, information not relating to qualifications, such as what the person wanted to order for the alumni Christmas party dinner, is not information that needs to be stored for years on end.
Is the participant list of training held for our own personnel considered a register of its own?
Technically no. This information is part of the register you have on your personnel.
Do I need to shred old participant lists that I've printed on paper?
If you have no valid reason to save that information (e.g. financial management requirements, legal right etc.), your job will be a whole lot easier if these lists don't exist. If a participant wants to check what kind of information you've collected on them, you need to include the information in the paper printouts as well.
We can all log into Lyyti with one username. Should we be worried?
Our recommendation is that by May 2018 at the latest there are no more 'communal' usernames in Lyyti. We are obligated to show what information has been handled, by whom, and with a shared username this is technically not possible.
How can I market new events with contact information gathered at previous events?
If I accidentally transfer a participant list or client list to the wrong party, will I immediately be fined 20 million euros?
Probably not, as the authority in the matter has other ways of handling breaches such as guidance, warnings, and suspension of data. The big fines are mostly meant as a deterrent for large players, criminal activity and gross negligence of the regulation.
Is video material a register? We have raw material as well as material published online with added text.
If the people in the video are recognizable, then that's a register. We recommend using the same guidelines for videos as for photographs; please see the answer regarding photos taken at an event.
A pharmaceutical company is sponsoring the event and wants/needs information on who they are sponsoring. Can we transfer the information to them?
Do I need consent from a parent/guardian if I save the contact information of a 16-year-old employee in our CRM?
Can we provide Lyyti with our own Data protection agreement?
If you have a Lyyti Enterprise license, then we can use a DPA provided by our customer.
Am I permitted to profile a user by machine-learning, if the user can't be identified using this information?
If the person can't be recognized from this data and it is for keeping statistics, it's not a personal data register. But if the person at a later point in time gives information about themselves that can be used to connect them to previously saved data, this profiling data file becomes part of the personal data register.
Every time the privacy policies and the use of the data differ greatly from one another, it is a good idea to create separate privacy policies. As an example, you collect very different kinds of data on employees as opposed to e.g. prospects.
What happens when the concerned citizens realize they have all these new rights and want all sorts of information on themselves?
Let's put on our best customer service smile, and keep it until the end of the contact. This question has surely been asked because someone was worried about the workload when hundreds or thousands of participants are asking for the data you've collected on them. Obviously this scenario is something you can and should prepare for, but it's probably not a realistic scenario. What you should do is prepare your team, so that you can easily help the people asking for their information. That should make those concerned citizens happy, as they can be assured that you have all the necessary tools to easily help them with their query, and they realize that you are taking information safety seriously.
Do the same rules apply to information and storage of a company's employee information vs. customer information?
When the registers differ from one another greatly, it's a good idea to make separate privacy policies. As an example, you store very different kinds of information on employees than on prospects.
If a society is openly supportive of the rights movement for sexual minorities and wants to send out marketing emails targeted to individuals representing a minority, what kind of stand does the GDPR take at collecting such information?
The reason why you are collecting such information does not, per se, automatically grant you permission to do so. Exceptions can be found, though; the GDPR article on Processing of special categories of personal data is quoted below.
1) Prohibited per se (Art. 9(1) GDPR)
2) Several of the exceptions cited in section 2 might apply, and usage of said exceptions are naturally at the discretion of the register controller, but as a rule I might suggest that the participants should be members of the society. Otherwise it might be hard to think of a reason why this society is collecting information on whether or not the participant is a member of a sexual minority, if the participants aren't members of said society.
a. Section a is the most likely scenario, but you might want to check that with a lawyer who is familiar with the specific branch of activity the society is working within.
b. Section d applies if the action is perceived as political (we can't say which actions could be perceived as philosophical, but that might apply as well?)
c. In some cases also section e, but it's probably impossible to control who has made that information public.
Art. 9 GDPR
Processing of special categories of personal data
1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.
2. Paragraph 1 shall not apply if one of the following applies:
a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject;
b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;
c) processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;
e) processing relates to personal data which are manifestly made public by the data subject;
f) processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
g) processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;
h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;
i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;
j) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
3. Personal data referred to in paragraph 1 may be processed for the purposes referred to in point (h) of paragraph 2 when those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies or by another person also subject to an obligation of secrecy under Union or Member State law or rules established by national competent bodies.
4. Member States may maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health.
In what way should a company protect their usage of personal data registers when the personnel is using an open mobile network?
This question is more about how data security is carried out than about how the GDPR should be implemented. We at Lyyti have staff who work away from the office, and we've taken the following steps to ensure safe data handling: some features can only be accessed from our company IP at the office, and if you're traveling, you need to use the company VPN. We've also made sure that only those people with a need to know can access certain parts of our client information, and we've made sure that there are no unnecessary users in the system.
What is the process for procedure documentation within small companies? Is there criteria on what should be logged on HR procedures, or can the documentation be informal?
The question probably has to do with how data security processes are documented and logged. There is no clear answer for this, and the demands aren't dependent on how large the company is. Instead, at the root of everything, there should be an understanding of the risks to specific personal data. On the other hand, the smaller the company, the fewer processes are involved, the less information is gathered and the fewer people have access to that information.
What kind of things should we consider GDPR-wise if a company is registered outside the EU?
If a company isn't registered within the European Union (no office or HQ), but serves clients within the EU area, these companies are still bound by the GDPR.
Saving social security numbers in an Excel file to be sent to the tax authority for the purposes of a daily expense allowance and kilometer allowance?
We gather that this question is about whether or not this list is a personal data register. It is, as it is not the technology that defines whether or not a set of data is a personal data register, but the content of the data. You might want to consider whether there's a safer way of collecting a large amount of sensitive information than an Excel list.
How do you define a B2B-customer? If the customer is a big corporation, how do you define which employees you can have a customer data list on?
When two legal persons do business with each other, it's considered B2B trading. It's a company buying from another company, in short. This question probably has to do with 'when is a personal data register formed'? If you have a CRM system with only company names and business IDs, there is no personal data register. However, when you've collected contract contacts' information, it becomes a personal data register. In the register, you are allowed to store information on the people you need in order to fulfill your obligations. These can be contacts for financial management, a buyer, a contact person, the user of your product etc. But remember, you can only collect and store such data on them as is relevant to fulfilling your obligations and duties.
Our cooperation partners on data security issues:
Lexperience / Elina Koivumäki and LRHTO / Kimmo Kajander.